API Key Management

09. 01. 2025 Updated: 27. 03. 2026 1 min read intermediate

API keys are the simplest form of authentication — and the most frequently compromised. Keys in GitHub, in the frontend, with no expiration.

Generation¶

import secrets, hashlib def generate_api_key(prefix=”sk”): raw = secrets.token_urlsafe(32) full = f”{prefix}_{raw}” hash = hashlib.sha256(full.encode()).hexdigest() return full, hash # full → to the user ONCE, hash → to DB

Storage¶

API Key Management¶

✅ os.environ[‘STRIPE_API_KEY’]¶

✅ Secret manager (Vault, AWS SM, Azure KV)¶

Best Practices¶

Hash keys in the DB (SHA-256)
Prefix to distinguish (sk_live_, sk_test_)
Expiration and rotation
Scope — minimal permissions per key
Pre-commit hooks (gitleaks, truffleHog)

Key Takeaway¶

Hash API keys, rotate them, limit scope. Never commit them to Git.

securityapiklíčemanagement

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.

All articles

More know-how

CORS Configuration — Cross-Origin Resource Sharing

Proper CORS configuration. Preflight requests, Access-Control headers.

Post-Quantum Cryptography — How to Prepare for Migration

NIST standards are finalized, Q-Day is approaching. A practical guide to migrating to post-quantum algorithms for...

Deno 2 for Enterprise — Secure Runtime and JSR Ecosystem

Deno 2 in the enterprise: a security-first approach, Node.js compatibility, JSR registry, the Fresh framework and...

Zero Trust per NIST 800-207 — 12-Month Implementation Roadmap

A practical guide to implementing Zero Trust Architecture following NIST 800-207. Identity-centric security,...